Payer Covid-19 Screening Policies and Boosting Your Online Security
June 17, 2022
Urgent care clinics are accustomed to responding to constant change – in volume, in coding policy, and in patient demands. COVID-19 continues to drive patients into clinics for screening and diagnostic testing, but with the pandemic transitioning to endemic, payers are looking at claims differently. In this post we update you on COVID-19 screening payer policies and look at how another change – more remote staffers – is driving a need for greater online security. Find out tips for fortifying your security with virtual private networks and strict password policies. We also run through timely updates on the healthcare industry at large.
As we transition from pandemic to endemic, it’s important to be aware that there are changes to the way payers are covering COVID-19 testing specific to screenings.
The Families First Coronavirus Response Act (FFCRA) and the Coronavirus Aid, Relief, and Economic Security Act (CARES) require some insurance plans to cover diagnostic testing. It does not require that plans cover screenings that are not medically necessary.
To review, screenings are performed for administrative purposes only. Patients seeking COVID-19 screening tests are asymptomatic and have not been exposed.
Private payers have begun to issue guidance and scrutinize these claims via pre- and post-payment review.
The Official ICD-10 Guidelines state that a screening diagnosis is “generally not appropriate” during a Public Health Emergency (PHE) where anyone could have been exposed. As the pandemic evolves, more patients are being seen for screenings (e.g., for travel) than during the time this diagnosis guidance was issued. Now, it would be appropriate to use the ICD-10 code Z11.52 for screenings.
Most payers will deny claims billed with ICD-10 Z11.52 as non-covered, and the patient will be responsible for full payment. Use of another diagnosis would not withstand a payer review. It may be time to consider making COVID-19 screenings a cash service.
To support medical necessity and to minimize payer reviews for diagnostic COVID-19 testing, Experity recommends that providers utilize the screening questions in the EMR to document symptoms, exposure, and vaccination status. Additional diagnoses should be submitted on the claim to identify any symptoms or high-risk factors. For unvaccinated patients, Experity suggests you report under-immunization status with either ICD-10 code Z28.310 (unvaccinated) or Z28.311 (partially vaccinated).
Experity will continue to monitor for payer changes as the COVID-19 landscape is still dynamic. Look for updates in The Balance Sheet.
Many urgent care roles require staff to be in clinic, but some jobs can, and likely are, being performed remotely. Your remote workers need to be able to access important information to cross items off their to-do lists – and they need to be able to do it securely.
Virtual Private Networks (VPNs) provide secure connectivity to your internal network and systems. VPNs are critically important to establishing secure external connections from employee devices to your healthcare organization’s internal network and data. However, like many technologies, VPNs have their own vulnerabilities, which include:
VPN misconfiguration: A misconfigured VPN can allow an unauthorized connection, leaving you at risk of a data breach or ransomware infection.
Missing patches: Promptly applying software and security patches to your VPN as soon they become available helps safeguard against threat actors attempting to exploit vulnerabilities.
Endpoint connections: VPNs do help protect the network, but not the endpoint connecting to a healthcare internal system through the VPN. In other words, the VPN protection ends at the user’s laptop, tablet, or other devices. Enforce security controls on any device (endpoint) that will connect to your organization’s internal network through the VPN.
Passwords are essential to keeping access to protected health information (PHI) and user accounts safe from unauthorized access and disclosure. However, too many users are unaware of or are negligent of proper password policies. According to one Verizon Data Breach Investigations Report, 81 percent of hacking-related breaches used stolen and/or weak passwords. Stronger passwords mean stronger security for your organization.
Here are some shareable password tips:
A strong password is an excellent step in protecting your healthcare organization’s data, but multifactor authentication (MFA) adds greater security. Used together with the user’s password, MFA adds extra layers of protection to the sign-in process, so the user can be securely granted access to internal resources. Depending on the MFA application, the user may need to supply a password or personal identification number (PIN), a badge or smartphone, or biometric verification (fingerprint).
Before your remote staff log in to the VPN, IT staff must ensure not only that remote patient monitoring (RPM) devices are secure before they go home with patients, but also that your workforce understands what’s at stake. A solid password policy with MFA should be in place before your employees can work from home. Additionally, protocols should be instituted to bolster compliance and digital vigilance, protecting your organization’s internal network and data — and your patients.
During the summer, children are generally more active outdoors, and their skin receives more exposure to the elements and environmental hazards. Your urgent care clinic may be filling up with more pint-size patients exhibiting worrisome rashes or reactions.
Make sure you know how to code these common pediatric skin complaints so you can keep claims moving through your system.
How is characterized? Patients present with a fever followed by a rash like measles, but which spreads peripherally from the trunk.
How is it coded? To code this condition correctly, you’ll turn to the B08.2- (Exanthema subitum [sixth disease]) codes, all of which have the synonym roseola infantum.
Hot tip: You’ll need to add a fifth character to specify the infectious agent causing the condition. If your clinician does not specify the agent, you’ll use B08.20 (Exanthema subitum [sixth disease], unspecified), the unspecified roseola infantum code. But testing may reveal the roseola has been caused by human herpesvirus 6, its most common cause according to the American Family Physician. In this case, you’ll code B08.21 (Exanthema subitum [sixth disease] due to human herpesvirus 6).
How is characterized? Most often, patients present with a single lesion, often referred to as a herald patch, on the trunk. The patch is usually rose-hued and shaped like an oval.
How is it coded? Simply assign L42 (Pityriasis rosea).
How is characterized? The rash spreads from the upper trunk to the rest of the body after the child first develops a fever and sore throat.
How is it coded? You will use a code from A38.- (Scarlet fever).
Hot tip: The A38.- codes are combination codes, so if your clinician documents scarlet fever with another related condition, you could use one of the following:
And if your clinician does not document a related condition, you’ll A38.9 (Scarlet fever, uncomplicated).
How is characterized? The rash takes the form of blisters, usually on the extremities or face. The blisters eventually burst and become infected, usually creating pus that hardens to form a yellow crust.
How is it coded? You’ll find the impetigo codes in the L01.- (Impetigo) group.
Hot tip: Most impetigo is of the nonbullous, or crusted, type, coded to L01.01 (Non-bullous impetigo)
How is characterized? The rash associated with this infection looks like the child’s face has been slapped. The rash usually follows a few days after the child develops a general malaise and a low-grade fever.
How is it coded? Again, code assignment for this diagnosis is simple, and you will only need to use B08.3 (Erythema infectiosum [fifth disease]).
How is characterized? Like impetigo, this rash takes the form of tiny, pearlescent skin-colored blisters that appear in small groups around the body.
How is it coded? Simply use B08.1 (Molluscum contagiosum).
How is characterized? This condition is easily identified by its circular patches with scaly borders and a hollow center, which are most commonly referred to as ringworm.
How is it coded? You’ll find all the codes you need for tinea infections in the B35 (Dermatophytosis) group.
Hot tip: The tinea codes are differentiated by location, so use the following chart to find the precise code associated with the area of the patient’s body affected by the rash:
| Location | Code |
| Body | B35.4 (Tinea corporis) |
| Feet | B35.3 (Tinea pedis) |
| Groin | B35.6 (Tinea cruris) |
| Hands | B35.2 (Tinea manuum) |
| Nails | B35.1 (Tinea unguium) |
| Scalp | B35.0 (Tinea barbae and tinea capitis) |
How is characterized? This skin condition can present in several different ways, including lesions, blisters, scaliness, and even dry skin.
How is it coded? This is probably the most difficult of all skin conditions to code because some clinicians may use the term atopic dermatitis as a synonym for eczema. Nominally, you’ll choose a code from L20.- (Atopic dermatitis) such as L20.83 (Infantile (acute) (chronic) eczema). However, there is a clinical difference between atopic dermatitis and eczema, and you will have to verify with your clinician whether a code from L30.- (Other and unspecified dermatitis) is more appropriate.
Be sure providers are coding specifically and including details whenever possible. Try to provide a definitive versus broad diagnosis.
On May 2, 2022, Blue Cross and Blue Shield of Oklahoma (BCBSOK) updated its policy on assigning effective dates to join the networks for professional providers.
Previously, contracts went into effect the first day of the following month. You will still be notified of your official effective date by mail, email or contact by your provider network representative.
Blue Cross and Blue Shield of North Carolina (Blue Cross NC) is experiencing significant delays in enrolling new providers due to higher volume for several months.
Therefore, they are offering a time limited opportunity to file an Enrollment Pending Claims Filing Exception form. This allows practices to bill under another participating provider within your group practice while waiting for enrollment completion. See the FAQs (Frequently Asked Question) for the intended use and instructions.
They ask that practices not resend requests and to not file any provider claims if the provider has not been fully enrolled and if you have not received confirmation of enrollment via a Welcome Letter.
This will continue until their turnaround times for enrollments are back to normal.
Medicare has reported that one of the common errors found when they audit is the incorrect documenting of changes/corrections of medical records.
All services are expected to be documented in the medical record at the time they are rendered. When late entries or corrections are required, the following principles must be followed:
Records sourced from electronic systems containing amendments, corrections or delayed entries must:
Auditors will not consider any entries that do not comply with these principles which could result in claim denial or recoupment. For more information, go to https://www.ngsmedicare.com/web/ngs/cert-details?selectedArticleId=1723583&lob=96664&state=97178®ion=93623&rgion=93623.
This would also apply to Medicare Advantage plans and other government plans.
Interested in more urgent care tips, best practices, and industry updates? Check out our March and April installments.
Interested in more? Our RCM experts use smart solutions and best practices to stay on top of revenue cycles and reimbursement.
Join over 20,000 healthcare professionals who receive our monthly newsletter.
Join over 20,000 healthcare professionals who receive our monthly newsletter.